fleet/server/service/devices.go


package service
import (
"context"
"crypto/x509"
"encoding/json"
"io"
"net/http"
"net/url"
"strconv"
"time"
"github.com/fleetdm/fleet/v4/server/contexts/authz"
authzctx "github.com/fleetdm/fleet/v4/server/contexts/authz"
"github.com/fleetdm/fleet/v4/server/contexts/ctxerr"
hostctx "github.com/fleetdm/fleet/v4/server/contexts/host"
"github.com/fleetdm/fleet/v4/server/contexts/logging"
"github.com/fleetdm/fleet/v4/server/fleet"
apple_mdm "github.com/fleetdm/fleet/v4/server/mdm/apple"
"github.com/fleetdm/fleet/v4/server/ptr"
)
/////////////////////////////////////////////////////////////////////////////////
// Ping device endpoint
/////////////////////////////////////////////////////////////////////////////////
// devicePingRequest is the request type for the device ping endpoint. It
// carries no fields.
type devicePingRequest struct{}

// deviceAuthPingRequest is a ping request that carries a device
// authentication token.
type deviceAuthPingRequest struct {
	// Token is the device authentication token. It is tagged url:"token", so it
	// is presumably decoded from the request URL (confirm against the request
	// decoder); credentials carried in URLs tend to show up in access and proxy
	// logs.
	Token string `url:"token"`
}

// deviceAuthToken returns the device authentication token held by the request.
func (r *deviceAuthPingRequest) deviceAuthToken() string {
	return r.Token
}
// devicePingResponse is the response of the device ping endpoint. It has no
// fields.
type devicePingResponse struct{}

// error always returns nil: the ping response never carries an error.
func (r devicePingResponse) error() error { return nil }
// hijackRender writes the server's device capabilities to the response via
// writeCapabilitiesHeader. It writes nothing else; ctx is not used.
func (r devicePingResponse) hijackRender(ctx context.Context, w http.ResponseWriter) {
	serverCaps := fleet.GetServerDeviceCapabilities()
	writeCapabilitiesHeader(w, serverCaps)
}
// devicePingEndpoint handles the device ping request. It marks authorization
// as skipped for the request and returns an empty devicePingResponse.
//
// NOTE: we're intentionally not reading the capabilities header in this
// endpoint, as it is unauthenticated and we don't want to trust whatever comes
// in there.
func devicePingEndpoint(ctx context.Context, request interface{}, svc fleet.Service) (errorer, error) {
	svc.DisableAuthForPing(ctx)

	var pong devicePingResponse
	return pong, nil
}
// DisableAuthForPing marks the request in ctx as not requiring an
// authorization check by calling svc.authz.SkipAuthorization. It performs no
// other work.
func (svc *Service) DisableAuthForPing(ctx context.Context) {
	// skipauth: this endpoint is intentionally public to allow devices to ping
	// the server and, among other things, get the fleet.Capabilities header to
	// determine which capabilities are enabled in the server.
	svc.authz.SkipAuthorization(ctx)
}
/////////////////////////////////////////////////////////////////////////////////
// Fleet Desktop endpoints
/////////////////////////////////////////////////////////////////////////////////
// fleetDesktopResponse is the response of the Fleet Desktop endpoint: the
// embedded fleet.DesktopSummary plus an optional error.
type fleetDesktopResponse struct {
	Err error `json:"error,omitempty"`
	fleet.DesktopSummary
}

// error returns the error carried by the response, if any.
func (r fleetDesktopResponse) error() error { return r.Err }
// getFleetDesktopRequest is the request for the Fleet Desktop endpoint.
type getFleetDesktopRequest struct {
	// Token is the device authentication token (tagged url:"token").
	Token string `url:"token"`
}

// deviceAuthToken returns the device authentication token held by the request.
func (r *getFleetDesktopRequest) deviceAuthToken() string {
	return r.Token
}
// getFleetDesktopEndpoint is meant to be the only API endpoint used by Fleet
// Desktop. This endpoint should not include any kind of identifying
// information about the host.
//
// A failure from svc.GetFleetDesktopSummary is reported in the response's Err
// field; the second return value is always nil.
func getFleetDesktopEndpoint(ctx context.Context, request interface{}, svc fleet.Service) (errorer, error) {
	summary, err := svc.GetFleetDesktopSummary(ctx)
	if err == nil {
		return fleetDesktopResponse{DesktopSummary: summary}, nil
	}
	return fleetDesktopResponse{Err: err}, nil
}
// GetFleetDesktopSummary always returns a zero fleet.DesktopSummary together
// with fleet.ErrMissingLicense in this implementation.
func (svc *Service) GetFleetDesktopSummary(ctx context.Context) (fleet.DesktopSummary, error) {
	// skipauth: No authorization check needed due to implementation returning
	// only license error.
	svc.authz.SkipAuthorization(ctx)

	var empty fleet.DesktopSummary
	return empty, fleet.ErrMissingLicense
}
/////////////////////////////////////////////////////////////////////////////////
// Get Current Device's Host
/////////////////////////////////////////////////////////////////////////////////
// getDeviceHostRequest is the request for the "get current device's host"
// endpoint.
type getDeviceHostRequest struct {
	// Token is the device authentication token (tagged url:"token").
	Token string `url:"token"`
}

// deviceAuthToken returns the device authentication token held by the request.
func (r *getDeviceHostRequest) deviceAuthToken() string {
	return r.Token
}

// getDeviceHostResponse is the response of the "get current device's host"
// endpoint. Everything in it is serialized to a caller that presented only a
// device authentication token, so new fields should be added with care.
type getDeviceHostResponse struct {
	Host                      *HostDetailResponse      `json:"host"`
	OrgLogoURL                string                   `json:"org_logo_url"`
	OrgLogoURLLightBackground string                   `json:"org_logo_url_light_background"`
	Err                       error                    `json:"error,omitempty"`
	License                   fleet.LicenseInfo        `json:"license"`
	GlobalConfig              fleet.DeviceGlobalConfig `json:"global_config"`
}

// error returns the error carried by the response, if any.
func (r getDeviceHostResponse) error() error { return r.Err }
// getDeviceHostEndpoint returns the details of the host attached to the
// request context, together with the license and the small subset of the
// application config that the device page needs.
//
// Every failure is reported in the response's Err field; the second return
// value is always nil. A missing host in the context is reported as an
// auth-required error.
func getDeviceHostEndpoint(ctx context.Context, request interface{}, svc fleet.Service) (errorer, error) {
	fail := func(err error) (errorer, error) {
		return getDeviceHostResponse{Err: err}, nil
	}

	deviceHost, found := hostctx.FromContext(ctx)
	if !found {
		return fail(ctxerr.Wrap(ctx, fleet.NewAuthRequiredError("internal error: missing host from request context")))
	}

	// must still load the full host details, as it returns more information
	details, err := svc.GetHost(ctx, deviceHost.ID, fleet.HostDetailOptions{
		IncludeCVEScores: false,
		IncludePolicies:  false,
	})
	if err != nil {
		return fail(err)
	}

	hostResp, err := hostDetailResponseForHost(ctx, svc, details)
	if err != nil {
		return fail(err)
	}

	// the org logo URL config is required by the frontend to render the page;
	// we need to be careful with what we return from AppConfig in the response
	// as this is a weakly authenticated endpoint (with the device auth token).
	// Only OrgLogoURL and the MDM enabled-and-configured flag are copied out
	// below; OrgLogoURLLightBackground is left at its zero value here.
	appCfg, err := svc.AppConfigObfuscated(ctx)
	if err != nil {
		return fail(err)
	}

	lic, err := svc.License(ctx)
	if err != nil {
		return fail(err)
	}

	hostResp.DEPAssignedToFleet = ptr.Bool(false)
	if appCfg.MDM.EnabledAndConfigured && lic.IsPremium() {
		assignment, err := svc.GetHostDEPAssignment(ctx, deviceHost)
		if err != nil && !fleet.IsNotFound(err) {
			return fail(err)
		}
		// NOTE(review): on a not-found error assignment is presumably nil, so
		// this relies on IsDEPAssignedToFleet tolerating a nil receiver;
		// confirm against its definition.
		hostResp.DEPAssignedToFleet = ptr.Bool(assignment.IsDEPAssignedToFleet())
	}

	return getDeviceHostResponse{
		Host:       hostResp,
		OrgLogoURL: appCfg.OrgInfo.OrgLogoURL,
		License:    *lic,
		GlobalConfig: fleet.DeviceGlobalConfig{
			MDM: fleet.DeviceGlobalMDMConfig{
				EnabledAndConfigured: appCfg.MDM.EnabledAndConfigured,
			},
		},
	}, nil
}
// GetHostDEPAssignment returns the DEP assignment stored for host.
//
// When the request was authenticated with a device token the authorization
// check is bypassed entirely; otherwise the caller must be authorized to read
// host. Nothing here verifies that host is the device that authenticated, so
// device-token callers must pass the host taken from the request context.
func (svc *Service) GetHostDEPAssignment(ctx context.Context, host *fleet.Host) (*fleet.HostDEPAssignment, error) {
	if !svc.authz.IsAuthenticatedWith(ctx, authzctx.AuthnDeviceToken) {
		err := svc.authz.Authorize(ctx, host, fleet.ActionRead)
		if err != nil {
			return nil, err
		}
	}

	return svc.ds.GetHostDEPAssignment(ctx, host.ID)
}
// AuthenticateDevice returns the host identified by the device authentication
// token, along with a boolean indicating if debug logging is enabled for that
// host.
//
// An empty token and a token the datastore does not find both yield an
// auth-required error; any other datastore failure is wrapped and returned
// as-is. The token lookup is given a TTL of one hour.
func (svc *Service) AuthenticateDevice(ctx context.Context, authToken string) (*fleet.Host, bool, error) {
	const deviceAuthTokenTTL = time.Hour

	// skipauth: Authorization is currently for user endpoints only.
	svc.authz.SkipAuthorization(ctx)

	if authToken == "" {
		return nil, false, ctxerr.Wrap(ctx, fleet.NewAuthRequiredError("authentication error: missing device authentication token"))
	}

	host, err := svc.ds.LoadHostByDeviceAuthToken(ctx, authToken, deviceAuthTokenTTL)
	if err != nil {
		if fleet.IsNotFound(err) {
			return nil, false, ctxerr.Wrap(ctx, fleet.NewAuthRequiredError("authentication error: invalid device authentication token"))
		}
		return nil, false, ctxerr.Wrap(ctx, err, "authenticate device")
	}

	debug := svc.debugEnabledForHost(ctx, host.ID)
	return host, debug, nil
}
/////////////////////////////////////////////////////////////////////////////////
// Refetch Current Device's Host
/////////////////////////////////////////////////////////////////////////////////
// refetchDeviceHostRequest is the request for the "refetch current device's
// host" endpoint.
type refetchDeviceHostRequest struct {
	// Token is the device authentication token (tagged url:"token").
	Token string `url:"token"`
}

// deviceAuthToken returns the device authentication token held by the request.
func (r *refetchDeviceHostRequest) deviceAuthToken() string {
	return r.Token
}
// refetchDeviceHostEndpoint requests a refetch of the host attached to the
// request context. The host ID comes from the context, never from the request,
// so a device can only act on itself.
//
// Failures are reported in the response's Err field; the second return value
// is always nil.
func refetchDeviceHostEndpoint(ctx context.Context, request interface{}, svc fleet.Service) (errorer, error) {
	deviceHost, found := hostctx.FromContext(ctx)
	if !found {
		return refetchHostResponse{
			Err: ctxerr.Wrap(ctx, fleet.NewAuthRequiredError("internal error: missing host from request context")),
		}, nil
	}

	if err := svc.RefetchHost(ctx, deviceHost.ID); err != nil {
		return refetchHostResponse{Err: err}, nil
	}
	return refetchHostResponse{}, nil
}
////////////////////////////////////////////////////////////////////////////////
// List Current Device's Host Device Mappings
////////////////////////////////////////////////////////////////////////////////
// listDeviceHostDeviceMappingRequest is the request for the "list current
// device's host device mappings" endpoint.
type listDeviceHostDeviceMappingRequest struct {
	// Token is the device authentication token (tagged url:"token").
	Token string `url:"token"`
}

// deviceAuthToken returns the device authentication token held by the request.
func (r *listDeviceHostDeviceMappingRequest) deviceAuthToken() string {
	return r.Token
}
// listDeviceHostDeviceMappingEndpoint lists the device mappings of the host
// attached to the request context. The host ID comes from the context, never
// from the request.
//
// Failures are reported in the response's Err field; the second return value
// is always nil.
func listDeviceHostDeviceMappingEndpoint(ctx context.Context, request interface{}, svc fleet.Service) (errorer, error) {
	deviceHost, found := hostctx.FromContext(ctx)
	if !found {
		return listHostDeviceMappingResponse{
			Err: ctxerr.Wrap(ctx, fleet.NewAuthRequiredError("internal error: missing host from request context")),
		}, nil
	}

	mappings, err := svc.ListHostDeviceMapping(ctx, deviceHost.ID)
	if err != nil {
		return listHostDeviceMappingResponse{Err: err}, nil
	}

	return listHostDeviceMappingResponse{
		HostID:        deviceHost.ID,
		DeviceMapping: mappings,
	}, nil
}
////////////////////////////////////////////////////////////////////////////////
// Get Current Device's Macadmins
////////////////////////////////////////////////////////////////////////////////
// getDeviceMacadminsDataRequest is the request for the "get current device's
// macadmins" endpoint.
type getDeviceMacadminsDataRequest struct {
	// Token is the device authentication token (tagged url:"token").
	Token string `url:"token"`
}

// deviceAuthToken returns the device authentication token held by the request.
func (r *getDeviceMacadminsDataRequest) deviceAuthToken() string {
	return r.Token
}
// getDeviceMacadminsDataEndpoint returns the macadmins data of the host
// attached to the request context. The host ID comes from the context, never
// from the request.
//
// Failures are reported in the response's Err field; the second return value
// is always nil.
func getDeviceMacadminsDataEndpoint(ctx context.Context, request interface{}, svc fleet.Service) (errorer, error) {
	deviceHost, found := hostctx.FromContext(ctx)
	if !found {
		return getMacadminsDataResponse{
			Err: ctxerr.Wrap(ctx, fleet.NewAuthRequiredError("internal error: missing host from request context")),
		}, nil
	}

	macadmins, err := svc.MacadminsData(ctx, deviceHost.ID)
	if err != nil {
		return getMacadminsDataResponse{Err: err}, nil
	}
	return getMacadminsDataResponse{Macadmins: macadmins}, nil
}
////////////////////////////////////////////////////////////////////////////////
// List Current Device's Policies
////////////////////////////////////////////////////////////////////////////////
// listDevicePoliciesRequest is the request for the "list current device's
// policies" endpoint.
type listDevicePoliciesRequest struct {
	// Token is the device authentication token (tagged url:"token").
	Token string `url:"token"`
}

// deviceAuthToken returns the device authentication token held by the request.
func (r *listDevicePoliciesRequest) deviceAuthToken() string {
	return r.Token
}

// listDevicePoliciesResponse is the response of the "list current device's
// policies" endpoint.
type listDevicePoliciesResponse struct {
	Err      error               `json:"error,omitempty"`
	Policies []*fleet.HostPolicy `json:"policies"`
}

// error returns the error carried by the response, if any.
func (r listDevicePoliciesResponse) error() error { return r.Err }
// listDevicePoliciesEndpoint lists the policies of the host attached to the
// request context. The host comes from the context, never from the request.
//
// Failures are reported in the response's Err field; the second return value
// is always nil.
func listDevicePoliciesEndpoint(ctx context.Context, request interface{}, svc fleet.Service) (errorer, error) {
	deviceHost, found := hostctx.FromContext(ctx)
	if !found {
		return listDevicePoliciesResponse{
			Err: ctxerr.Wrap(ctx, fleet.NewAuthRequiredError("internal error: missing host from request context")),
		}, nil
	}

	policies, err := svc.ListDevicePolicies(ctx, deviceHost)
	if err != nil {
		return listDevicePoliciesResponse{Err: err}, nil
	}
	return listDevicePoliciesResponse{Policies: policies}, nil
}
// ListDevicePolicies always returns a nil slice and fleet.ErrMissingLicense in
// this implementation; host is not used.
func (svc *Service) ListDevicePolicies(ctx context.Context, host *fleet.Host) ([]*fleet.HostPolicy, error) {
	// skipauth: No authorization check needed due to implementation returning
	// only license error.
	svc.authz.SkipAuthorization(ctx)
	return nil, fleet.ErrMissingLicense
}
////////////////////////////////////////////////////////////////////////////////
// Transparency URL Redirect
////////////////////////////////////////////////////////////////////////////////
// transparencyURLRequest is the request for the transparency URL redirect
// endpoint.
type transparencyURLRequest struct {
	// Token is the device authentication token (tagged url:"token").
	Token string `url:"token"`
}

// deviceAuthToken returns the device authentication token held by the request.
func (r *transparencyURLRequest) deviceAuthToken() string {
	return r.Token
}
// transparencyURLResponse is the response of the transparency URL redirect
// endpoint. It is rendered as an HTTP redirect rather than as a JSON body.
type transparencyURLResponse struct {
	RedirectURL string `json:"-"` // used to control the redirect, see hijackRender method
	Err         error  `json:"error,omitempty"`
}

// hijackRender answers with a 307 Temporary Redirect whose Location header is
// r.RedirectURL. The value is written as-is, with no validation here, so
// whoever fills RedirectURL must only use trusted (server-side) values.
func (r transparencyURLResponse) hijackRender(ctx context.Context, w http.ResponseWriter) {
	w.Header().Set("Location", r.RedirectURL)
	w.WriteHeader(http.StatusTemporaryRedirect)
}

// error returns the error carried by the response, if any.
func (r transparencyURLResponse) error() error { return r.Err }
// transparencyURL picks the URL the device is redirected to for transparency
// information: fleet.DefaultTransparencyURL, unless the license is premium and
// a custom URL is set in the application config.
//
// The redirect target comes only from server-side configuration and the
// built-in default, never from the request. Failures are reported in the
// response's Err field; the second return value is always nil.
func transparencyURL(ctx context.Context, request interface{}, svc fleet.Service) (errorer, error) {
	appCfg, err := svc.AppConfigObfuscated(ctx)
	if err != nil {
		return transparencyURLResponse{Err: err}, nil
	}

	lic, err := svc.License(ctx)
	if err != nil {
		return transparencyURLResponse{Err: err}, nil
	}

	// Fleet Premium license is required for custom transparency url
	target := fleet.DefaultTransparencyURL
	if lic.IsPremium() && appCfg.FleetDesktop.TransparencyURL != "" {
		target = appCfg.FleetDesktop.TransparencyURL
	}

	return transparencyURLResponse{RedirectURL: target}, nil
}
////////////////////////////////////////////////////////////////////////////////
// Receive errors from the client
////////////////////////////////////////////////////////////////////////////////
// fleetdErrorRequest is the request for the endpoint that receives error
// reports from the client. The embedded fleet.FleetdError is filled from the
// request body by DecodeBody and is entirely client-controlled.
type fleetdErrorRequest struct {
	// Token is the device authentication token (tagged url:"token").
	Token string `url:"token"`
	fleet.FleetdError
}

// deviceAuthToken returns the device authentication token held by the request.
func (f *fleetdErrorRequest) deviceAuthToken() string {
	return f.Token
}
// maxFleetdErrorReportSize caps the size of a fleetd error report body.
//
// Since we're directly storing what we get in Redis, limit the request size to
// 5MB. Combined with the rate limit of this endpoint, this should be enough to
// keep a malicious actor from filling the store.
const maxFleetdErrorReportSize int64 = 5 * 1024 * 1024
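// DecodeBody decodes the JSON request body into f.FleetdError, accepting at
// most maxFleetdErrorReportSize bytes.
//
// The reader is capped at one byte past the limit; if that extra byte is ever
// consumed, the body is larger than allowed and the request is rejected.
// Checking the remaining budget, rather than inferring an overflow from
// io.ErrUnexpectedEOF alone, means an oversized body that happens to be cut at
// a JSON value boundary is still rejected, and a small truncated body is
// reported as invalid instead of as too large.
//
// The ctx, u and c parameters are not used. Every failure is returned as a
// *fleet.BadRequestError.
func (f *fleetdErrorRequest) DecodeBody(ctx context.Context, r io.Reader, u url.Values, c []*x509.Certificate) error {
	limited := &io.LimitedReader{R: r, N: maxFleetdErrorReportSize + 1}
	decoder := json.NewDecoder(limited)

	// the budget is limit+1 bytes, so it only runs out when the body is larger
	// than the limit
	exceeded := func() bool { return limited.N <= 0 }
	errTooLarge := &fleet.BadRequestError{Message: "payload exceeds maximum accepted size"}

	// keep decoding until the reader is exhausted so that the whole body is
	// counted against the limit; each successive JSON value is decoded into
	// the same struct
	for {
		err := decoder.Decode(&f.FleetdError)
		if err == io.EOF {
			break
		}
		if err != nil {
			if err == io.ErrUnexpectedEOF && exceeded() {
				return errTooLarge
			}
			return &fleet.BadRequestError{Message: "invalid payload"}
		}
	}

	if exceeded() {
		return errTooLarge
	}
	return nil
}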
// fleetdErrorResponse is the (empty) response of the endpoint that receives
// error reports from the client.
type fleetdErrorResponse struct{}

// error always returns nil: the response itself never carries an error.
func (r fleetdErrorResponse) error() error { return nil }

// Status returns 500 Internal Server Error.
//
// For now, this endpoint must always return a 500 status code; this way errors
// are picked up and reported by any monitoring tool that looks for 5xx errors.
//
// Since the handler is returning an error, this is redundant, but it is kept
// as a safeguard.
//
// See: https://github.com/fleetdm/fleet/issues/13238#issuecomment-1671769460
func (r fleetdErrorResponse) Status() int { return http.StatusInternalServerError }
// fleetdError hands the error report decoded from the request to
// svc.ReceiveFleetdError.
//
// Unlike the other endpoints in this file, the service error is returned as
// the second value (not inside the response) to get better logs in the
// server. The request must be a *fleetdErrorRequest; the type assertion is
// unchecked and panics otherwise.
func fleetdError(ctx context.Context, request interface{}, svc fleet.Service) (errorer, error) {
	report := request.(*fleetdErrorRequest).FleetdError
	return fleetdErrorResponse{}, svc.ReceiveFleetdError(ctx, report)
}
// ReceiveFleetdError records an error report sent by a client.
//
// It always returns a non-nil error: a permission error when the request was
// not authenticated with a device token, otherwise the report itself wrapped
// with its ToMap data. The report content is supplied by the client, so
// whatever consumes the wrapped error should treat it as untrusted input.
func (svc *Service) ReceiveFleetdError(ctx context.Context, fleetdError fleet.FleetdError) error {
	if svc.authz.IsAuthenticatedWith(ctx, authz.AuthnDeviceToken) {
		return ctxerr.WrapWithData(ctx, fleetdError, "receive fleetd error", fleetdError.ToMap())
	}

	return ctxerr.Wrap(ctx, fleet.NewPermissionError("forbidden: only device-authenticated hosts can access this endpoint"))
}
////////////////////////////////////////////////////////////////////////////////
// Get Current Device's MDM Apple Enrollment Profile
////////////////////////////////////////////////////////////////////////////////
// getDeviceMDMManualEnrollProfileRequest is the request for the "get current
// device's MDM Apple enrollment profile" endpoint.
type getDeviceMDMManualEnrollProfileRequest struct {
	// Token is the device authentication token (tagged url:"token").
	Token string `url:"token"`
}

// deviceAuthToken returns the device authentication token held by the request.
func (r *getDeviceMDMManualEnrollProfileRequest) deviceAuthToken() string {
	return r.Token
}
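// getDeviceMDMManualEnrollProfileResponse is the response of the "get current
// device's MDM Apple enrollment profile" endpoint. It is rendered as a file
// download rather than as a JSON body.
type getDeviceMDMManualEnrollProfileResponse struct {
	// Profile field is used in hijackRender for the response.
	Profile []byte

	Err error `json:"error,omitempty"`
}

// hijackRender writes r.Profile to w as a downloadable .mobileconfig file.
// A failed write cannot be reported to the client any more, so it is only
// recorded through logging.WithExtras.
func (r getDeviceMDMManualEnrollProfileResponse) hijackRender(ctx context.Context, w http.ResponseWriter) {
	header := w.Header()

	// make the browser download the content to a file
	header.Add("Content-Disposition", `attachment; filename="fleet-mdm-enrollment-profile.mobileconfig"`)
	// explicitly set the content length before the write, so the caller can
	// detect short writes (if it fails to send the full content properly)
	header.Set("Content-Length", strconv.FormatInt(int64(len(r.Profile)), 10))
	// this content type will make macos open the profile with the proper
	// application; the charset was previously misspelled as "urf-8"
	header.Set("Content-Type", "application/x-apple-aspen-config; charset=utf-8")
	// prevent detection of content, obey the provided content-type
	header.Set("X-Content-Type-Options", "nosniff")

	if n, err := w.Write(r.Profile); err != nil {
		logging.WithExtras(ctx, "err", err, "written", n)
	}
}

// error returns the error carried by the response, if any.
func (r getDeviceMDMManualEnrollProfileResponse) error() error { return r.Err }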
// getDeviceMDMManualEnrollProfileEndpoint returns the MDM Apple enrollment
// profile for download.
//
// Failures are reported in the response's Err field; the second return value
// is always nil.
func getDeviceMDMManualEnrollProfileEndpoint(ctx context.Context, request interface{}, svc fleet.Service) (errorer, error) {
	// this call ensures that the authentication was done, no need to actually
	// use the host
	_, authenticated := hostctx.FromContext(ctx)
	if !authenticated {
		return getDeviceMDMManualEnrollProfileResponse{
			Err: ctxerr.Wrap(ctx, fleet.NewAuthRequiredError("internal error: missing host from request context")),
		}, nil
	}

	mobileconfig, err := svc.GetDeviceMDMAppleEnrollmentProfile(ctx)
	if err != nil {
		return getDeviceMDMManualEnrollProfileResponse{Err: err}, nil
	}
	return getDeviceMDMManualEnrollProfileResponse{Profile: mobileconfig}, nil
}
// GetDeviceMDMAppleEnrollmentProfile generates the MDM Apple enrollment
// profile (mobileconfig) for a device-authenticated caller.
//
// It returns a permission error unless the request was authenticated with a
// device token. The profile is built from the organization name and server
// URL in the application config, the SCEP challenge from the server config
// and the MDM push certificate topic.
//
// NOTE(review): the SCEP challenge is handed to the profile generator, so the
// returned bytes presumably contain it; this endpoint is gated only by the
// device token. Confirm that exposure is intended.
func (svc *Service) GetDeviceMDMAppleEnrollmentProfile(ctx context.Context) ([]byte, error) {
	// must be device-authenticated, no additional authorization is required
	deviceAuthed := svc.authz.IsAuthenticatedWith(ctx, authz.AuthnDeviceToken)
	if !deviceAuthed {
		return nil, ctxerr.Wrap(ctx, fleet.NewPermissionError("forbidden: only device-authenticated hosts can access this endpoint"))
	}

	cfg, err := svc.ds.AppConfig(ctx)
	if err != nil {
		return nil, ctxerr.Wrap(ctx, err)
	}

	var (
		orgName       = cfg.OrgInfo.OrgName
		serverURL     = cfg.ServerSettings.ServerURL
		scepChallenge = svc.config.MDM.AppleSCEPChallenge
		pushTopic     = svc.mdmPushCertTopic
	)
	profile, err := apple_mdm.GenerateEnrollmentProfileMobileconfig(orgName, serverURL, scepChallenge, pushTopic)
	if err != nil {
		return nil, ctxerr.Wrap(ctx, err)
	}

	return profile, nil
}
////////////////////////////////////////////////////////////////////////////////
// Request a disk encryption reset
////////////////////////////////////////////////////////////////////////////////
// rotateEncryptionKeyRequest is the request for the "request a disk
// encryption reset" endpoint.
type rotateEncryptionKeyRequest struct {
	// Token is the device authentication token (tagged url:"token").
	Token string `url:"token"`
}

// deviceAuthToken returns the device authentication token held by the request.
func (r *rotateEncryptionKeyRequest) deviceAuthToken() string {
	return r.Token
}

// rotateEncryptionKeyResponse is the response of the "request a disk
// encryption reset" endpoint.
type rotateEncryptionKeyResponse struct {
	Err error `json:"error,omitempty"`
}

// error returns the error carried by the response, if any.
func (r rotateEncryptionKeyResponse) error() error { return r.Err }
// rotateEncryptionKeyEndpoint requests a disk encryption key rotation for the
// host attached to the request context. The host ID comes from the context,
// never from the request.
//
// Failures are reported in the response's Err field; the second return value
// is always nil.
func rotateEncryptionKeyEndpoint(ctx context.Context, request interface{}, svc fleet.Service) (errorer, error) {
	deviceHost, found := hostctx.FromContext(ctx)
	if !found {
		return rotateEncryptionKeyResponse{
			Err: ctxerr.Wrap(ctx, fleet.NewAuthRequiredError("internal error: missing host from request context")),
		}, nil
	}

	err := svc.RequestEncryptionKeyRotation(ctx, deviceHost.ID)
	if err != nil {
		return rotateEncryptionKeyResponse{Err: err}, nil
	}
	return rotateEncryptionKeyResponse{}, nil
}
// RequestEncryptionKeyRotation always returns fleet.ErrMissingLicense in this
// implementation; ctx and hostID are not used.
//
// NOTE(review): GetFleetDesktopSummary and ListDevicePolicies in this file call
// svc.authz.SkipAuthorization before returning the license error, and this
// method does not. Confirm whether the difference is intended.
func (svc *Service) RequestEncryptionKeyRotation(ctx context.Context, hostID uint) error {
	return fleet.ErrMissingLicense
}
////////////////////////////////////////////////////////////////////////////////
// Signal start of mdm migration on a device
////////////////////////////////////////////////////////////////////////////////
// deviceMigrateMDMRequest is the request for the endpoint that signals the
// start of an MDM migration on a device.
type deviceMigrateMDMRequest struct {
	// Token is the device authentication token (tagged url:"token").
	Token string `url:"token"`
}

// deviceAuthToken returns the device authentication token held by the request.
func (r *deviceMigrateMDMRequest) deviceAuthToken() string {
	return r.Token
}

// deviceMigrateMDMResponse is the response of the endpoint that signals the
// start of an MDM migration on a device.
type deviceMigrateMDMResponse struct {
	Err error `json:"error,omitempty"`
}

// error returns the error carried by the response, if any.
func (r deviceMigrateMDMResponse) error() error { return r.Err }

// Status returns 204 No Content.
func (r deviceMigrateMDMResponse) Status() int { return http.StatusNoContent }
// migrateMDMDeviceEndpoint signals the start of an MDM migration for the host
// attached to the request context. The host comes from the context, never from
// the request.
//
// Failures are reported in the response's Err field; the second return value
// is always nil.
func migrateMDMDeviceEndpoint(ctx context.Context, request interface{}, svc fleet.Service) (errorer, error) {
	deviceHost, found := hostctx.FromContext(ctx)
	if !found {
		return deviceMigrateMDMResponse{
			Err: ctxerr.Wrap(ctx, fleet.NewAuthRequiredError("internal error: missing host from request context")),
		}, nil
	}

	err := svc.TriggerMigrateMDMDevice(ctx, deviceHost)
	if err != nil {
		return deviceMigrateMDMResponse{Err: err}, nil
	}
	return deviceMigrateMDMResponse{}, nil
}
// TriggerMigrateMDMDevice always returns fleet.ErrMissingLicense in this
// implementation; ctx and host are not used.
//
// NOTE(review): GetFleetDesktopSummary and ListDevicePolicies in this file call
// svc.authz.SkipAuthorization before returning the license error, and this
// method does not. Confirm whether the difference is intended.
func (svc *Service) TriggerMigrateMDMDevice(ctx context.Context, host *fleet.Host) error {
	return fleet.ErrMissingLicense
}